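# Logstash pipeline: tail two Tomcat application logs (core-ws, portal),
# stitch multi-line entries, extract request metadata and ship to Elasticsearch.
#
# Fixes applied to the original:
#   - the date filter referenced a field named "logdate" that nothing ever
#     populates; the grok below captures the timestamp as "date", so the
#     @timestamp of every event stayed at ingest time.
#   - the date pattern used "MMM" (abbreviated month name) and "YYYY"
#     (week-year), but %{TIMESTAMP_ISO8601} only matches a numeric month,
#     so the pattern could never have parsed what grok accepted.
#   - the main grok captures the log body back into "message" without
#     overwrite => ..., which turns "message" into a two-element array
#     (original line + body) instead of replacing it.
input {
  file {
    type => "core-ws"
    # NOTE(review): backslashes inside a double-quoted Logstash string may be
    # treated as escape sequences depending on the Logstash version; forward
    # slashes are the safer spelling on Windows — confirm against the version in use.
    path => [ "C:\_dev\apache-tomcat-6.0.35\logs\core-ws.log" ]
    start_position => "end"
    # A log entry starts with an ISO-8601 timestamp; any line that does not
    # (stack traces, wrapped messages) is appended to the previous event.
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601} "
      negate => true
      what => previous
    }
  }
  file {
    type => "portal"
    path => [ "C:\_dev\apache-tomcat-7.0.55\logs\portal.log" ]
    start_position => "end"
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601} "
      negate => true
      what => previous
    }
  }
}

filter {
  # Per-message-type enrichment. Each branch is guarded by a cheap regex so
  # only matching lines pay for the grok.
  if [message] =~ /(.+request from remoteAddr.+X_FORWARDED_FOR.+)/ {
    grok {
      # remoteAddr is the TCP peer as seen by Tomcat; forwardIp is whatever the
      # client (or an intermediate proxy) placed in X-Forwarded-For and is
      # therefore unverified, attacker-controllable data. Keep geoip and any
      # alerting keyed on remoteAddr, not on forwardIp.
      match => [ "message", ".+request from remoteAddr \[%{IPORHOST:remoteAddr}] and X_FORWARDED_FOR \[%{DATA:forwardIp}] uri=%{GREEDYDATA:callUri}"]
      add_tag => [ "address"]
    }
    geoip {
      source => "remoteAddr"
    }
  } else if [message] =~ /(.+reusing requestCorrelationId from header.+)/ {
    grok {
      # The correlation id captured here is also captured by the line-format
      # grok below, so on these lines requestCorrelationId may end up as an
      # array of two values; consumers should not assume a scalar.
      match => [ "message", ".+reusing requestCorrelationId from header \(X-request-correlation-id=%{DATA:requestCorrelationId}\).*"]
      add_tag => [ "reuseCorrelationId"]
    }
  } else if [message] =~ /(.+is not in request headers.+creating new one: '.+)/ {
    grok {
      match => [ "message", ".+is not in request headers.+creating new one: '%{DATA:requestCorrelationId}'.*"]
      add_tag => [ "createCorrelationId"]
    }
  }

  # Common line format: "<timestamp> <level> [thread][class][correlationId][user] <body>".
  grok {
    match => [ "message", "%{TIMESTAMP_ISO8601:date} +%{LOGLEVEL:level} +\[%{DATA:thread}]\[%{JAVACLASS:class}]\[%{DATA:requestCorrelationId}]\[%{DATA:user}] %{GREEDYDATA:message}"]
    # Replace "message" with the extracted body instead of appending to it.
    overwrite => [ "message" ]
    add_field => { "env" => "KEN" }
  }

  # Set @timestamp from the log line's own timestamp (field "date", captured
  # above). The first pattern matches the log4j-style "2016-04-22 14:45:12,345";
  # ISO8601 is kept as a fallback for variants with "T" or a timezone suffix.
  date {
    match => [ "date", "yyyy-MM-dd HH:mm:ss,SSS", "ISO8601" ]
    locale => "en"
  }
}

output {
  elasticsearch {
    # NOTE(review): "host" is the pre-2.x option name; Logstash 2.x+ uses "hosts" —
    # confirm against the deployed version.
    host => localhost
  }
  # stdout { codec => rubydebug }
}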